Office 365 + DMARC: Best Practices for Protecting Your Company & Customers From Phishing Attacks

Gartner includes DMARC, known by its full name as Domain-based Message Authentication, Reporting & Conformance, in its list of top 10 security projects for 2021. DMARC integration into an organization’s Office 365-based email system is best to avoid being impersonated in email attacks.

Let’s look at the benefits of deploying DMARC in Office 365 environments and tips to help you succeed in deploying DMARC in your organization.

Why O365 is better with DMARC for outbound email

Fraudulent emails appearing to come from a legitimate, trusted source lead to nearly $7.5 billion in business losses worldwide each month. Ponemon Institute estimates that data breaches can cost businesses an average of $3.86 million each time.

DMARC is designed for this purpose. DMARC, an email authentication standard, is used to protect email systems from being unauthorized by senders. It acts as a policy layer in Sender Policy Framework (SPF) and DomainKeys Identified Mail(DKIM). In addition, DMARC gives instructions to email systems about how to dispose of these unauthorized messages safely.

The most strict policy for enforcement is rejected (p=reject), where email messages that fail DMARC authentication will be stopped from reaching their intended recipients. Quarantine (p=quarantine) is a less rigid policy setting. It places those emails into the spam folder and monitor only (p=none), protects the recipients but helps organizations monitor if their domain has been spoofed.

O365 already has robust security measures, including DMARC, which provides ample protection against inbound phishing and spam attacks. You don’t even need to do anything to enable DMARC on the email you receive from Office 365. In addition, you don’t even need to set up DMARC on an Office 365 tenant if you do not use a custom domain to send outbound emails but instead use the onmicrosoft.com standard subdomain.

You will need to set up DMARC if your Office 365 tenant has configured it to use a custom domain (ex. yourcompany.com) or if third parties send you to emails such as SendGrid or MailChimp. So how do you implement DMARC in Office 365? First, let’s look at some best practices and some better practices to help you get the most from your DMARC deployment.

Sound: Use Best Practices when deploying DMARC for Office 365

When implementing DMARC, we recommend a gradual deployment. It is essential for large companies that implement DMARC across multiple domains. In addition, it helps to ensure that your email flow doesn’t suffer.

Many cybersecurity companies recommend Multi-step plans for DMARC implementation. Each step should be executed starting with one subdomain, moving on to other subdomains, and ending with the top-level domain of the organization before proceeding to the next. These are the best practices for implementing DMARC:

First, monitor the impact. We recommend that large organizations set up DMARC across multiple domains by creating a simple monitoring mode record. A monitoring-mode record, a DMARC TXT file with p=none policy, is a DMARC record. Many companies publish a DMARC-TXT record with p=none to see how many emails they might lose if they publish a stricter DMARC policy. It allows them to monitor and make changes before they do.

In your plans, including DKIM and SPF. You won’t safely reject or quarantine mail using DMARC unless SPF and DKIM are implemented on all legitimate sources. Your DMARC reports will reveal all the addresses that have been sending emails to your domain. After you have implemented SPF/DKIM on legitimate mail sources, fraudulent messages will become evident as they fail DMARC. They will also originate from servers that aren’t yours or authorized senders.

Ask that any mail sent to an external system be quarantined if it fails DMARC. You can establish a quarantine policy if you feel that most of your legitimate traffic is protected with DKIM and SPF and that you are aware of the implications of DMARC. It will ask DMARC receivers for messages from your domain to be placed in the local equivalent of a spam mailbox instead of customers’ inboxes.

Ask that the mail system that does not support DMARC be blocked from sending you messages. Once you are confident that your legitimate mail has been authenticated, it is time to implement a rejection policy. It is asking DMARC receivers to reject messages that fail the DMARC check. It is the best and most efficient way to protect your domain. It prevents any un legitimate email from reaching your users.

It is essential to keep in mind that DMARC records for multiple domains are hierarchical. It is a good thing as it allows you to specify fewer high-level DMARC record records for more excellent coverage. However, it is essential to ensure that subdomain DMARC records are not created for domains where the top-level domain is inheriting the domain’s DMARC record.

Better: Use the DMARC solution Microsoft Trusts

Although DMARC deployment on a single domain can be relatively straightforward, large-scale implementations are more complex.

EmailAuth is a great solution to simplify the implementation of DMARC in Office 365-based email environments. It has been proven to reduce spoofed mails from your domain to near-zero levels almost immediately. What could be better than the Microsoft Trusted product to protect your Office 365 outbound email?

Best: Install Azure Sentinel or Microsoft Graph Security API

As fraudsters continue to improve their evasion and deception techniques, companies can’t rely on isolated and fragmented products to protect their customers, employees, suppliers, partners, and customers. As a result, Azure Sentinel, the world’s first cloud-native SIEM/SOAR/UEBA platform from a primary cloud service provider, is at the forefront of a secular trend of consolidation and integration in the cybersecurity stack.

The data connector includes sample queries to help you create additional Azure Sentinel analytics and workbooks. These also include workflows that allow you to gather insights around attack types, policy hits, and most attacked users. Customers who use the federated Microsoft Graph Security API model can also benefit from investigating IOCs and malicious URLs or domains to help them triage and isolate potential threats more effectively.

An integrated security architecture, which includes EmailAuth solutions with Defender For Office 365, Azure Security API, and Graph Security API, allows organizations to use the rich visibility of email security as their first-line defense. It helps reduce the attack surface, strengthen core defenses, and improve overall security posture.

Source: https://medium.com/@rawatnimisha/office-365-dmarc-best-practices-for-protecting-your-company-customers-from-phishing-attacks-9152bfe31752